
mTLS

This post is about requiring mTLS in front of a service that sits behind a Cloudflare proxy. It's actually not very difficult to set up and is a great alternative to using Cloudflare Zero Trust.

Step 1: Configure your Cloudflared Tunnel

Before going further, make sure your domain works as expected from your mobile network, so that the request really goes through Cloudflare and the tunnel.

Step 2: Generate a Client Certificate

Go to the domain's dashboard, open the SSL/TLS menu and select Client Certificates. Click Create Certificate. You will be shown a certificate and a private key. Copy each into a text file and save them as client.crt and client.key. We'll need both to generate a .pfx (PKCS#12) file, which bundles them into a single passphrase-protected file.

Also, under Hosts (where it says "Choose which host(s) you wish to enable mTLS"), make sure you add your subdomain to actually enable it; otherwise it won't work.

Create the Rule

Stay in the domain dashboard and go to Security -> Security Rules. Click Templates and find the template for Enforce mTLS authentication.

Under Trigger When, change the second condition from URI Path to Hostname with the wildcard operator, and set the wildcard to paperless.domain.com*. You can now save the rule.

Generate a pfx file

You need OpenSSL for this. Run the following command:

openssl pkcs12 -export -inkey client.key -in client.crt -out paperless-client.pfx

This assumes your current working directory is the one containing the key and crt files.

You will be prompted to set an export password, which encrypts the bundle. This needs to be rather long for it to work properly. I used a 20-digit passphrase.
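As an added example (not from the original post), here is the pfx step together with a check of the result before the file goes to the phone. The client.key/client.crt used here are a constructed self-signed stand-in, since the real ones come from the Cloudflare dashboard; the passphrase and the paperless-client.pfx name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.

# Constructed stand-in for the Cloudflare-issued client.key / client.crt:
# a throwaway self-signed pair so the flow can be exercised offline.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-client" \
    -keyout "$1" -out "$2" 2>/dev/null
}

# make_pfx KEY CRT OUT PASSPHRASE: the post's command, with the export
# passphrase given on the command line instead of at the prompt.
make_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" 2>/dev/null
}

# verify_pfx PFX PASSPHRASE CRT: returns 0 only if the passphrase opens the
# bundle, the certificate inside is the expected one, and the bundled private
# key matches that certificate. Catches a mistyped passphrase or a mismatched
# key/cert pair before the file ever reaches the phone.
verify_pfx() {
  tmp=$(mktemp -d) || return 1
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$tmp/c.pem" 2>/dev/null &&
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$tmp/k.pem" 2>/dev/null ||
    { rm -rf "$tmp"; return 1; }
  want=$(openssl x509 -in "$3" -noout -fingerprint -sha256)        # expected cert
  got=$(openssl x509 -in "$tmp/c.pem" -noout -fingerprint -sha256) # cert in bundle
  pk_cert=$(openssl x509 -in "$tmp/c.pem" -noout -pubkey)          # public key in cert
  pk_key=$(openssl pkey -in "$tmp/k.pem" -pubout 2>/dev/null)      # public key of bundled key
  rm -rf "$tmp"
  [ "$want" = "$got" ] && [ "$pk_cert" = "$pk_key" ]
}

# Whole flow in a scratch directory: bundle, verify with the right passphrase,
# and confirm a wrong passphrase is rejected. Returns 0 only if all of that holds.
demo() {
  d=$(mktemp -d) || return 1
  pass="correct horse battery staple"   # placeholder; use your own long passphrase
  make_demo_pair "$d/client.key" "$d/client.crt" &&
  make_pfx "$d/client.key" "$d/client.crt" "$d/paperless-client.pfx" "$pass" &&
  verify_pfx "$d/paperless-client.pfx" "$pass" "$d/client.crt" &&
  ! verify_pfx "$d/paperless-client.pfx" "wrong-passphrase" "$d/client.crt"
  rc=$?
  rm -rf "$d"
  return $rc
}

demo && echo "pfx bundle OK"
```

If the phone refuses to import the file, note that OpenSSL 3 writes PKCS#12 bundles with newer PBES2/AES encryption than some older mobile keystores accept; `openssl pkcs12 -export -legacy` produces the older scheme.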

Use the pfx file

OK, now you just need to get that file onto your mobile device. Select it in the application and enter the passphrase, and your app should be able to connect to the server. Meanwhile, the browser still doesn't work!
